Date: Wed, 9 Apr 2025 19:30:44 GMT
Message-Id: <202504091930.539JUiad080073@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 0a376f7e7e03 - main - pfctl: route-to, dup-to, reply-to should not override the block action List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 0a376f7e7e0346654a74f2acf693187736c983a2 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=0a376f7e7e0346654a74f2acf693187736c983a2 commit 0a376f7e7e0346654a74f2acf693187736c983a2 Author: Kristof Provost AuthorDate: 2025-04-09 14:33:29 +0000 Commit: Kristof Provost CommitDate: 2025-04-09 19:30:17 +0000 pfctl: route-to, dup-to, reply-to should not override the block action Spotted by Dilli Paudel ok jung@, ok mikeb@ Add a pfctl test case to ensure this doesn't regress. Obtained from: OpenBSD, sashan , 1ae008c822 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/parse.y | 14 ++++++++++++-- sbin/pfctl/tests/files/pf1067.fail | 1 + sbin/pfctl/tests/files/pf1067.in | 1 + sbin/pfctl/tests/pfctl_test_list.inc | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 8c01da9e6220..6b85c1b36303 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -5362,8 +5362,9 @@ filter_consistent(struct pfctl_rule *r, int anchor_call) problems++; } } - /* match rules rules */ - if (r->action == PF_MATCH) { + /* Basic rule sanity check. */ + switch (r->action) { + case PF_MATCH: if (r->divert.port) { yyerror("divert is not supported on match rules"); problems++; 
@@ -5377,6 +5378,15 @@ filter_consistent(struct pfctl_rule *r, int anchor_call) yyerror("af-to is not supported on match rules"); problems++; } + break; + case PF_DROP: + if (r->rt) { + yyerror("route-to, reply-to and dup-to " + "are not supported on block rules"); + problems++; + } + break; + default:; } if (r->rdr.opts & PF_POOL_STICKYADDR && !r->keep_state) { yyerror("'sticky-address' requires 'keep state'"); diff --git a/sbin/pfctl/tests/files/pf1067.fail b/sbin/pfctl/tests/files/pf1067.fail new file mode 100644 index 000000000000..23ac1daad64f --- /dev/null +++ b/sbin/pfctl/tests/files/pf1067.fail @@ -0,0 +1 @@ +route-to, reply-to and dup-to are not supported on block rules diff --git a/sbin/pfctl/tests/files/pf1067.in b/sbin/pfctl/tests/files/pf1067.in new file mode 100644 index 000000000000..47f3bf6285dd --- /dev/null +++ b/sbin/pfctl/tests/files/pf1067.in @@ -0,0 +1 @@ +block in route-to (if0 127.0.0.1/8) diff --git a/sbin/pfctl/tests/pfctl_test_list.inc b/sbin/pfctl/tests/pfctl_test_list.inc index 6a8d76390bd6..7e43556d2c4d 100644 --- a/sbin/pfctl/tests/pfctl_test_list.inc +++ b/sbin/pfctl/tests/pfctl_test_list.inc @@ -175,3 +175,4 @@ PFCTL_TEST_IFACE(1063, "Interface translation: IPv6 rule, interface with bracket PFCTL_TEST_IFACE(1064, "Interface translation: IPv6 rule, interface with brackets is not translated, extra host, round robin is applied") PFCTL_TEST(1065, "no nat") PFCTL_TEST(1066, "no rdr") +PFCTL_TEST_FAIL(1067, "route-to can't be used on block rules")
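Review bot: the new `case PF_DROP:` in filter_consistent() is a parse-time guard only; it rejects `block ... route-to/reply-to/dup-to` when the ruleset goes through pfctl, but nothing in this patch touches the kernel side, so a rule with `rt` set on a PF_DROP action loaded by another ioctl client would still reach pf(4) with whatever override behaviour motivated the fix. Worth confirming that the kernel also refuses such rules, or stating in the commit message that this is a user-space-only check. Minor style point in the same hunk: `default:;` is an empty statement; `default: break;` reads more clearly and is the form readers expect at the end of a switch.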
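Review bot: pf1067.in exercises only `block in route-to (if0 127.0.0.1/8)`, while the error it is expected to produce names all three of route-to, reply-to and dup-to. All three set `r->rt`, so the check covers them, but the grammar paths for `reply-to` and `dup-to` are distinct from `route-to`; a second and third input such as `block in reply-to (if0 127.0.0.1/8)` and `block out dup-to (if0 127.0.0.1/8)` would pin down that each keyword is rejected on block rules rather than relying on the shared `rt` field staying shared.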
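Review bot: the test description `PFCTL_TEST_FAIL(1067, "route-to can't be used on block rules")` names only route-to, while the diagnostic checked in pf1067.fail covers route-to, reply-to and dup-to. If the input stays route-to only the description is accurate; if additional reply-to/dup-to inputs are added, consider a description that names all three so the list entry matches what the test actually asserts.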